Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps

What you *actually* know are the follow-up steps you would take *at this point* given the information provided in the article.

The part you (and every other armchair quarterback on this thread) ignore is that the data provided is the *result* of research. This is information you simply would not possess when approaching a suspected infected system with zero additional knowledge regarding the nature of the infection.

If a machine cannot be restored to its default clean state there is clearly either a hardware defect or the firmware has been modified. Determining that takes about an hour, not three years!

> If a machine cannot be restored to its default clean state there is clearly either a hardware defect or the firmware has been modified. Determining that takes about an hour, not three years!

Okay, how do you determine if "the firmware has been modified", considering all the firmware, including in, for example, wired NICs that aren't plugged in, internal USB hubs, the trackpad, the camera, all the drives...

("The firmware", considered in its entirety, isn't just the stuff processed by the main CPU and used to make the BIOS go.)

"Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed"... "the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps."

Payload runs ubiquitously on BSD, Linux, Windows and MacOS? Able to launch payload on any/all UEFI and BIOS hardware? Undetectable on filesystems? Undetectable agents? Bridging airgaps with power cord unplugged?

> If a machine cannot be restored to its default clean state there is clearly either a hardware defect or the firmware has been modified. Determining that takes about an hour, not three years!
>
> Okay, how do you determine if "the firmware has been modified", considering all the firmware, including in, for example, wired NICs that aren't plugged in, internal USB hubs, the trackpad, the camera, all the drives...
>
> ("The firmware", considered in its entirety, isn't just the stuff processed by the main CPU and used to make the BIOS go.)

But that is effectively the only place where you can inject a rootkit that really survives a cold re-install.

> What you *actually* know are the follow-up steps you would take *at this point* given the information provided in the article.
>
> The part you (and every other armchair quarterback on this thread) ignore is that the data provided is the *result* of research. This is information you simply would not possess when approaching a suspected infected system with zero additional knowledge regarding the nature of the infection.
>
> If a machine cannot be restored to its default clean state there is clearly either a hardware defect or the firmware has been modified. Determining that takes about an hour, not three years!

This is one of the many red flags in this.

With all due respect, it's painfully obvious that you have never been professionally involved with incident response in either a production or research environment.

Unbelievable. Governments had the technology that made Flame and Stuxnet possible at least three years ago. Just because you may not be aware of something does not mean that it does not exist. Thinking critically should not mean closing your mind.

Interestingly enough, 80% appear to be from seemingly uninformed morons babbling about a hoax.

With your definition of "seemingly uninformed morons" apparently being the ability to in fact detect that hoax and to point out why it is one.

Let's see. On one hand we have pretty much the cream of the crop in high-end professional security research saying "this is something we should be taking seriously and looking at closer"

On the other hand we have a herd of spazoids on some blog's comments who clearly don't know what they are talking about stroking their own egos making demonstrably comical assertions about how security research works.

> Interestingly enough, 80% appear to be from seemingly uninformed morons babbling about a hoax.
>
> With your definition of "seemingly uninformed morons" apparently being the ability to in fact detect that hoax and to point out why it is one.
>
> Let's see. On one hand we have pretty much the cream of the crop in high-end professional security research saying "this is something we should be taking seriously and looking at closer"
>
> On the other hand we have a herd of spazoids on some blog's comments who clearly don't know what they are talking about stroking their own egos making demonstrably comical assertions about how security research works.
>
> Hmmmmm. Call me crazy. I'll stick with the professionals.

Are you talking about this malware or about the global climate change debate?

So a virus is using the internal speakers and microphones in laptops to network itself. How come I can barely make intelligible recordings with my built in microphone when I try, yet it is able to do high frequency acoustical coupled networking?

What sort of error correction algorithm is able to filter out all the background noise and isolate the signal from a microphone? That might have more useful and financially lucrative applications than spying on some hacker...

No one said the network had to be fast. Think about what it really is: a handful of ultrasonic frequencies that can be quite far apart from each other, played slowly by modern standards. How much fidelity and error correction do you really need to handle 300 baud, for example? That was plenty good for millions of telnet connections to mainframes throughout the early 80s. Can't manage remotely sending low-level command line entries with that? Of course you can.

It's not a Halloween hoax Dan made up. @dragosr has been tweeting about this for weeks.

If it were someone less well known in the industry, I'd be more inclined to think it was a hoax, but I think he has stuck with the story too long for it to be a knowing hoax when his career is so dependent on reputation.

It could be an error I mean people are only human. This just seems so far fetched to me. I would like to see some of these infected machines given to other researchers. Maybe someone needs to create a virtual USB controller and read the drives to see what data is actually being sent.

> Okay, how do you determine if "the firmware has been modified", considering all the firmware, including in, for example, wired NICs that aren't plugged in, internal USB hubs, the trackpad, the camera, all the drives...
>
> ("The firmware", considered in its entirety, isn't just the stuff processed by the main CPU and used to make the BIOS go.)

Gosh, if only there was something like a checksum that could check the entire flash memory where this is stored...

It's not impossible to detect if the BIOS has been subverted. Certainly not easy, as dealing with an attacker who gets to run arbitrary Ring0 code on each keypress is non-trivial, but attempting to flash the BIOS with a known image, doing a checksum, and checking for specific nonstandard behaviors inserted into the new BIOS will flush it out over time. Like "stall for 2 seconds when 'b' is pressed". Trivial to check if that change is there, impossible to write malware that could detect such a small patch in the BIOS and take it without wiping itself out.
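One concrete form of the checksum idea, as an added example rather than anything from the article or from the commenter: compare a dump of the flash against the vendor's image, mask the ranges that legitimately change between boots (the UEFI variable store, the event log, serial numbers), and report whatever differences remain. The dump and the reference image here are constructed in memory; in practice the dump comes from an external programmer via a tool such as flashrom, because reading the flash through the very system you suspect lets compromised firmware lie about its own contents. The 64 KiB size, the offsets and the allowed range are assumptions made for the example.

```python
# Added example, not code from the article or any commenter: compare a
# firmware dump against a known-good image and report what changed.
# The images below are constructed in memory; a real run would read a dump
# taken with an external programmer (e.g. flashrom) and the vendor's image.
import hashlib
import random


def sha256_hex(image: bytes) -> str:
    """Whole-image digest: a quick pass/fail before looking at byte ranges."""
    return hashlib.sha256(image).hexdigest()


def diff_regions(reference: bytes, dump: bytes, merge_gap: int = 16) -> list:
    """Byte ranges [(start, end), ...] where dump differs from reference.
    Differences separated by at most merge_gap identical bytes are merged."""
    if len(reference) != len(dump):
        raise ValueError("size mismatch: %d vs %d bytes" % (len(reference), len(dump)))
    regions, start, last = [], None, None
    for off, (a, b) in enumerate(zip(reference, dump)):
        if a == b:
            continue
        if start is not None and off - last > merge_gap:
            regions.append((start, last + 1))
            start = None
        if start is None:
            start = off
        last = off
    if start is not None:
        regions.append((start, last + 1))
    return regions


def unexpected_regions(reference: bytes, dump: bytes, allowed: list) -> list:
    """Drop differences that fall wholly inside ranges known to vary
    (NVRAM variable store, event logs, serial numbers); keep the rest."""
    def covered(region):
        s, e = region
        return any(a <= s and e <= b for a, b in allowed)
    return [r for r in diff_regions(reference, dump) if not covered(r)]


def describe(reference: bytes, dump: bytes, allowed: list) -> str:
    """Human-readable report: both digests plus every unexplained range."""
    lines = ["reference sha256 %s" % sha256_hex(reference),
             "dump      sha256 %s" % sha256_hex(dump)]
    for s, e in unexpected_regions(reference, dump, allowed):
        lines.append("UNEXPECTED 0x%06x-0x%06x (%d bytes)" % (s, e, e - s))
    return "\n".join(lines)


# Constructed sample (assumption): a 64 KiB "vendor image", a copy with a
# 32-byte patch at 0x1000, and ordinary churn in a variable store at 0xF000.
SIZE = 64 * 1024
ALLOWED_VARIABLE = [(0xF000, 0xF100)]


def build_samples():
    rng = random.Random(1234)
    reference = bytes(rng.getrandbits(8) for _ in range(SIZE))
    dump = bytearray(reference)
    for off in range(0x1000, 0x1020):            # the planted modification
        dump[off] = reference[off] ^ 0x5A        # XOR so every byte differs
    for off in range(0xF000, 0xF100, 8):         # normal NVRAM churn
        dump[off] ^= 0xFF
    return reference, bytes(dump)


if __name__ == "__main__":
    ref, dmp = build_samples()
    print(describe(ref, dmp, ALLOWED_VARIABLE))
```

The check only covers the image you can dump. Option ROMs, the embedded controller, and drive and NIC firmware live in their own stores and need the same treatment separately, which is the objection raised further down the thread; a clean SPI image says nothing about them.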

Antenna for what? Where's the transmitter? Where's the receiver? What's the carrier, and what's being modulated? Wireless is a heckuva lot more complex.

It's totally within the realm of imagination that it's possible to make an antenna out of a single board. No question.

Writing a program to do it on arbitrary hardware? Sorry, nope. RF engineers are $300/hour and it would take one several months to do the single known-board hack. It's utterly impossible that the entire RF discipline has been so thoroughly obviated. It's tantamount to assuming capitalism has failed. If money could solve this, money would have.

> It's not a Halloween hoax Dan made up. @dragosr has been tweeting about this for weeks.
>
> If it were someone less well known in the industry, I'd be more inclined to think it was a hoax, but I think he has stuck with the story too long for it to be a knowing hoax when his career is so dependent on reputation.
>
> It could be an error I mean people are only human. This just seems so far fetched to me. I would like to see some of these infected machines given to other researchers. Maybe someone needs to create a virtual USB controller and read the drives to see what data is actually being sent.

Doesn't actually have to be on the drives. Remember that drives have firmware. If the firmware on the USB device can directly infect the firmware on a USB hub, the OS might have no way to know. (How many USB thumb drives have you seen that give you a way to read or write their firmware as opposed to their content?)

Irony: USB thumb drives that claim to implement security should have a considerably larger and more complex firmware to begin with...

> What you *actually* know are the follow-up steps you would take *at this point* given the information provided in the article.
>
> The part you (and every other armchair quarterback on this thread) ignore is that the data provided is the *result* of research. This is information you simply would not possess when approaching a suspected infected system with zero additional knowledge regarding the nature of the infection.
>
> If a machine cannot be restored to its default clean state there is clearly either a hardware defect or the firmware has been modified. Determining that takes about an hour, not three years!
>
> This is one of the many red flags in this.
>
> With all due respect, it's painfully obvious that you have never been professionally involved with incident response in either a production or research environment.
>
> You simply don't know what you are talking about.

Thank you for your insightful and detailed factual response.

I have not had this case with a Mac yet, but being in embedded hardware and software development (among many other things over the years) has taught me a thing or two about a methodical approach to difficult symptoms.

So, which other reasons for a clean wipe and cold re-install failing other than hardware defect or firmware modification do you propose?

> Interestingly enough, 80% appear to be from seemingly uninformed morons babbling about a hoax.
>
> With your definition of "seemingly uninformed morons" apparently being the ability to in fact detect that hoax and to point out why it is one.
>
> Let's see. On one hand we have pretty much the cream of the crop in high-end professional security research saying "this is something we should be taking seriously and looking at closer"
>
> On the other hand we have a herd of spazoids on some blog's comments who clearly don't know what they are talking about stroking their own egos making demonstrably comical assertions about how security research works.
>
> Hmmmmm. Call me crazy. I'll stick with the professionals.

Special pleading for expertise and ad hominem attacks on skeptics. At no point are the claims supported or criticized with logical arguments, disputations, or corroborating evidence.

"For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa."


It took an industry expert three years to work that out...?

There is something really weird about the timing described in this article. 3 years is a long time for a single researcher to work on a virus that seems so confounding. You're telling me he never included anyone else on this three year odyssey? Very bizarre, that.

> Gosh, if only there was something like a checksum that could check the entire flash memory where this is stored...

There is no "entire flash memory where this is stored". On my own hardware, the firmware on the hard drive is not in flash memory that's directly addressable by the CPU.

To my knowledge, neither is the firmware on the NIC. Neither is the firmware on the other NIC. Neither is the firmware on the video card. Neither is the firmware on the sound card.

(There's no publicized way to write the firmware on some of these devices, because the vendor didn't allow for post-sale updates at all. In other devices, the way you update the firmware is via a protocol the old firmware implements, not direct flash memory writes. In some of those cases, there may be no common way to read the firmware -- if the firmware can report its version and receive updates, why would you need to actually read it?)

Heck, on my phone, the firmware in the part that runs the OS and the firmware in the part that does the communication with the radio tower aren't in remotely the same place.

> Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer.

Methinks “observed” is not the word for postulating a field of an unknown nature. Spooky, unexpected behavior on two machines both believed to be infested with malware is about the worst possible environment, in fact, for claiming an unobserved transmission was “observed.”

If we're to take this seriously as anything other than an elaborate hoax, we ought to pay attention to ordinary accurate language. (And for hoaxers, if they be that: McGuffins work best if they are less, not more, fantastical than the underlying mystery. This aspect would lead people to say this is the intended “giveaway” that it is a hoax.)

> "Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed"... "the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps."
>
> Payload runs ubiquitously on BSD, Linux, Windows and MacOS? Able to launch payload on any/all UEFI and BIOS hardware? Undetectable on filesystems? Undetectable agents? Bridging airgaps with power cord unplugged?
>
> Nope. Bullshit.
>
> Somebody is either hoaxing, selling something, or mentally ill.

I think it's quite possible. If we dig into the report of Dragos Ruiu, he only checked on newer systems running on i3, i5, i7 CPUs. Modern systems are a black box, and the embedded code on peripherals and components was not audited and verified.

What happens if the malware is intentionally tried on NT or 2000 or XP or Linux on older PIII or PIV machines, and then checked again? Because the malware could be in the modern laptop itself (with i3, i5, i7). It could be in the USB mouse, touchpad, camera, modem, NIC, flash controller, UEFI or PCI components.

@dfjdejulio is clearly thinking the same thing I am, but perhaps not as clearly stated:

1) The initial infection obviously had to be from a "normal" attack vector: USB, Internet, supply chain, etc.

2) The infection modifies the BIOS as a rootkit, in order to allow the attacker control over the computer.

3) The infection survives "clean" installs that involve wiping the BIOS and original optical media.

4) There are existing proof-of-concepts for malware in other non-volatile memory devices such as keyboard controllers, NIC controllers, etc.

5) It may be possible that malware in another non-BIOS system device can re-install the rootkit.

Also, regarding how "ultrasonic packets" were observed without observing actual ultrasonic communications, the suspected method tethers two machines, one networked, one airgapped. The unexplained packets would be observable on the network side, and the drop/change in traffic would be observed when disconnecting the mic and speakers as described.

I don't see any need for hocus-pocus to explain it, but this is scary!

> Let's see. On one hand we have pretty much the cream of the crop in high-end professional security research saying "this is something we should be taking seriously and looking at closer"
>
> On the other hand we have a herd of spazoids on some blog's comments who clearly don't know what they are talking about stroking their own egos making demonstrably comical assertions about how security research works.
>
> Hmmmmm. Call me crazy. I'll stick with the professionals.

So your argument is blind, uncritical hero worship accompanied by a complete disregard for critical reasoning and plausibility.

But I guess that goes together perfectly with the low-grade ad-hominems in your posts.

> It's not a Halloween hoax Dan made up. @dragosr has been tweeting about this for weeks.
>
> If it were someone less well known in the industry, I'd be more inclined to think it was a hoax, but I think he has stuck with the story too long for it to be a knowing hoax when his career is so dependent on reputation.

... and hoaxers are incapable of building up to their grand scheme over months and years and even decades. Right. It's happened before.

No, this is too crazy and the publication date of this story is too convenient. I suppose it's possible but I just can't buy it yet.

I can wrap my head around something overwriting the BIOS, updating firmware on specific controllers to drop a payload. Scary stuff that is feasible but implausible, it would require a ton of time to program for a specific hardware platform that may not be in production/use the next year. The "air gapped" (no traditional networking devices attached) computers with badBIOS infections give me pause though: I remember coupled modems.

I know that a motherboard speaker (piezo tweeter) is perfect for giving out high frequency sounds, but this would be a half-duplex solution that would operate from an infected OS, not just BIOS-infected based. The computers would have to be extremely close to each other. And the speeds would be horrible, especially since this is an A/D conversion; they would need some Reed-Solomon correction in there at some point to account for background noise made by other noisy electronic devices...

So to recap, you would need two infected computers, and not just 2 computers with infected BIOSes. To do air-gapped communication, they would have to be within a foot (two at best) of each other; anything else would be futile. The speeds would be much less than a 56k connection (It wasn't mentioned in the article if this was bi-directional communication, but uni-directional/UDP spew would make much more sense to me in this borderline-crazy scenario). I'm not sure how this guy was able to report network traffic on his machine, as you need a "bridge tap" to tap into an existing network interface for monitoring. If the machines didn't have NICs, or bluetooth, what exactly did you tap to see network packets being sent or received?

Is there bad stuff out there that can infect machines pretty easily? Sure. I am not a security researcher but I am reasonably secure in the abilities of an above-average human dealing with computers, and this is easily the shark-jumper of believability. I'm not saying this guy is lying, he seems like a good guy from his facebook, I'm just saying I want to see a lot more proof.
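Two comments in this thread make opposite claims about the acoustic link: the one that says a handful of ultrasonic tones at 300 baud would be plenty, and the one above that doubts a piezo tweeter and a laptop microphone could sustain anything usable through background noise. The block below is an added example, not code from the article, from Ruiu, or from any commenter, that lets you test the first claim in simulation: a continuous-phase two-tone FSK transmitter at 300 baud, a Goertzel-based receiver that compares energy at the two tones, a frame with a length byte and an XOR checksum, and a constructed channel that adds Gaussian noise at the receiver. The 48 kHz codec rate, the 18 kHz and 19.2 kHz tones and the noise level are assumptions chosen so the bin arithmetic is exact, not measurements of any real hardware.

```python
# Added example (not from the article or any commenter): an end-to-end
# simulation of the slow two-tone FSK link the comments describe.
# Everything here is a pure-Python model; the codec rate, tone frequencies
# and noise level are assumptions, not measurements of any real system.
import math
import random

SAMPLE_RATE = 48_000              # Hz, a common laptop codec rate (assumption)
F_SPACE, F_MARK = 18_000, 19_200  # tones for bit 0 / bit 1; both sit on exact
                                  # Goertzel bins at 300 baud (assumption)
BAUD = 300                        # symbol rate from the "300 baud" comment
SPS = SAMPLE_RATE // BAUD         # samples per symbol: 160


def xor_checksum(data: bytes) -> int:
    """One-byte XOR checksum: enough to reject a garbled frame, not correct it."""
    c = 0
    for b in data:
        c ^= b
    return c


def frame_bits(text: str) -> list:
    """Frame = 1 length byte, payload, 1 checksum byte; bits MSB first."""
    payload = text.encode("ascii")
    frame = bytes([len(payload)]) + payload + bytes([xor_checksum(payload)])
    return [(byte >> (7 - i)) & 1 for byte in frame for i in range(8)]


def modulate(bits: list) -> list:
    """Continuous-phase two-tone FSK: one SPS-sample block per bit."""
    samples, phase = [], 0.0
    for bit in bits:
        step = 2 * math.pi * (F_MARK if bit else F_SPACE) / SAMPLE_RATE
        for _ in range(SPS):
            samples.append(math.sin(phase))
            phase += step
    return samples


def goertzel_power(block: list, freq: float) -> float:
    """Power in one frequency bin (Goertzel), cheaper than a full FFT."""
    n = len(block)
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples: list) -> list:
    """Decide each symbol by comparing energy at the two tones."""
    bits = []
    for i in range(len(samples) // SPS):
        block = samples[i * SPS:(i + 1) * SPS]
        mark = goertzel_power(block, F_MARK)
        space = goertzel_power(block, F_SPACE)
        bits.append(1 if mark > space else 0)
    return bits


def unframe(bits: list) -> str:
    """Reassemble bytes, check length and checksum, return the text."""
    data = bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits) - 7, 8))
    n = data[0]
    if len(data) < n + 2:
        raise ValueError("short frame")
    payload, check = data[1:1 + n], data[1 + n]
    if xor_checksum(payload) != check:
        raise ValueError("checksum mismatch")
    return payload.decode("ascii")


def add_noise(samples: list, sigma: float, seed: int = 0) -> list:
    """Constructed channel: additive white Gaussian noise at the receiver."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def simulate_link(text: str, sigma: float = 1.5, seed: int = 0) -> str:
    """Send text over the simulated acoustic channel and decode it."""
    return unframe(demodulate(add_noise(modulate(frame_bits(text)), sigma, seed)))


def seconds_on_air(text: str) -> float:
    """Air time at 300 baud, to make the 'slow is fine' point concrete."""
    return len(frame_bits(text)) / BAUD


if __name__ == "__main__":
    cmd = "uname -a"
    print(simulate_link(cmd), "%.2f s on air" % seconds_on_air(cmd))
```

With 160 samples per symbol the receiver integrates each tone over the whole symbol, which is why it still decodes cleanly when the noise in any single sample is larger than the signal; that processing gain, not heavy error correction, is what makes a slow link cheap, and a short shell command costs well under a second of air time. What the model leaves out is exactly what would have to be verified on real hardware before believing any of this: symbol synchronization, whether the speaker and microphone pass anything near 18 kHz at all, and how fast the link dies with distance.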

So... I'm not going to read through every comment here, but the situation of an airgapped laptop + transferring data via USB keys matches the situation that the reporter relaying the Snowden articles has been using to keep his data safe. If nothing else, I think that's an interesting coincidence.

It describes, in part, something similar to a small part of the "BadBIOS" behavior, on Windows machines with one of 132 specific motherboards. It describes theoretical means of infection vectors, one actual tested infection vector requiring physical access to the machine, detection avoidance of several AV systems on Windows, and BIOS manipulation of a small array of x86 BIOS hardware. UEFI is not discussed. Mac hardware is not discussed. BSD infection is not discussed. Airgaps and self healing are not discussed.

> Gosh, if only there was something like a checksum that could check the entire flash memory where this is stored...
>
> There is no "entire flash memory where this is stored". On my own hardware, the firmware on the hard drive is not in flash memory that's directly addressable by the CPU.
>
> To my knowledge, neither is the firmware on the NIC. Neither is the firmware on the other NIC. Neither is the firmware on the video card. Neither is the firmware on the sound card.
>
> (There's no publicized way to write the firmware on some of these devices, because the vendor didn't allow for post-sale updates at all. In other devices, the way you update the firmware is via a protocol the old firmware implements, not direct flash memory writes. In some of those cases, there may be no common way to read the firmware -- if the firmware can report its version and receive updates, why would you need to actually read it?)
>
> Heck, on my phone, the firmware in the part that runs the OS and the firmware in the part that does the communication with the radio tower aren't in remotely the same place.

I thought it was kinda obvious I was talking about flashing the BIOS. Since, you know, he called it "badBIOS" and talks all about flashing the BIOS and my specific example was directly related to the BIOS. But sure, let's run with this idea that it's not just boards, we're going after the entire peripheral space.

So instead of this malware which can infect hundreds of devices from dozens of vendors, we're talking about one that can infect millions of devices from thousands of vendors. And can still hide itself on an arbitrary USB key. I don't think you're making this vector more credible with this supposition. Did you?